The other thing that’s important to know is that users don’t actually have access to a real shell on RouterOS. Above, I’ve included a screenshot where I appear to have a root shell. However, that’s only because I’ve exploited the router and enabled the developer backdoor. This shouldn’t actually be possible, but thanks to the magic of vulnerabilities it is.

If you aren’t familiar with the developer backdoor in RouterOS, here is a very quick rundown: Since RouterOS 3.x the system was designed to give you a root busybox shell over telnet or ssh if a special file exists in a specific location on the system (that location has changed over the years).

While all of the system’s executables appear to reside within read-only space, there does appear to be some read-write space, both tmpfs and persistent, that an attacker can manipulate. The trick is figuring out how to use that space to achieve and maintain execution.

The storage the user has access to as seen from a root shell and Webfig